Method for blockwise encryption/decryption using linear algebraic codes.

Method for blockwise encipherment, decipherment in a cryptosystem. A message block (x) of n message symbols is enciphered into a cryptogram (y) of length n. A first sub-block (x_A'), a selection (σ_A) of k<n message symbols from the message block to be enciphered, is converted into a code word (c) of length n with the aid of a k×n enciphering matrix (E) of rank k, which generates a randomly chosen error-correcting (n, k) linear code C. By means of a second sub-block (x_B'), formed by the n-k remaining message symbols (σ_B), a syndrome vector (s) of length n-k is determined, by means of which, from a given set of syndrome/error vectors (t), a unique error vector (z) of length n is determined which is then added to the code word to form the cryptogram (y).

Thanks to the method, the information rate between the sender and recipient is R = 1, and blockwise and repeated enciphering is possible.

A. Background of the invention

1. Field of the invention

The invention is in the field of cryptosystems. More in particular, it relates to a method for blockstream encipherment and decipherment of messages based on algebraic coding methods, making use of secret key elements.

2. Prior art 

For the purpose of making secure the exchange of information via communication channels in communication networks, cryptosystems in which encipherment and decipherment takes place on the basis of algebraic coding methods are known per se. Thus, reference [1] and references [2] and [3] describe, respectively, a "public key" cryptosystem and a "secret key" cryptosystem, which employ error-correcting codes. This involves applying an enciphering scheme in which a message to be sent of length k is converted into a cryptogram by, with the aid of a code generator, first converting the k message symbols into a code word or code vector of length n>k according to such an error-correcting code and then arranging, artificially as it were, in the code vector obtained, by addition with an error vector, an error pattern which is to be corrected subsequently. In so doing, the error vector is chosen randomly from a set of error vectors which represent error patterns which can be corrected with the aid of the given code. The cryptosystem disclosed by reference [1] employs an error-correcting code, in this case the Goppa code, which is able to correct randomly chosen error vectors of Hamming weight ≤ t. The cryptosystem disclosed by references [2] and [3] applies error-correcting codes, in this case BCH codes having a length of n ≤ 250 bits and a minimum distance d ≤ 6, the error vectors being chosen randomly from a previously specified (secret) set of error codes having a Hamming weight of approximately n/2. On the receiving side the cryptograms are decoded, in which process the added error pattern is first determined uniquely from the cryptogram, whereupon the code word can be decoded into the original message. In a "public-key" cryptosystem the code generator is public in "scrambled" form, in a "secret-key" cryptosystem it is not. Since rapid decoding algorithms exist for error-correcting codes of this type, high enciphering rates (≥ 1M bits/sec) can be accomplished. Reference [4] discloses a "public-key" cryptosystem of this type, in which the fact that it is possible to retrieve on the receiving side the artificially added error pattern in a unique manner, is utilized either to transmit additional ("secondary" message) information such as an authentication code, or to actively use part of the error pattern for error correction on the communication link.

A cryptosystem based on enciphering schemes of this type has the following significant drawbacks:

- the (primary) information rate R between sender and recipient is k/n, is therefore always less than 1;

- because k≠n, current methods for blockstream encipherment are not applicable directly, and repeated encipherment is not possible. Moreover, the enciphering scheme, owing to an inherent linearity, is insecure as such. Although reference [3], more in particular section III.B., provides a suggestion of overcoming this drawback, specifically by employing non-linear codes, this does have the drawback that the simplicity of the use of linear codes is lost.

B. Summary of the invention 

The object of the invention is to provide a method for blockstream encipherment and decipherment, based on algebraic coding methods, employing "secret-key" elements, which method does not have the abovementioned drawbacks. The invention is based on the following insight. For a correcting code a parity-check matrix is chosen at the same time, by means of which it is possible to determine, on the receiving side, whether a transmitted code vector has or has not come across without error. Multiplication of the parity-check matrix with a correctly received code vector (of length n) results in the null vector of length n-k, with an incorrectly received code vector, however, in a residual vector ≠0 of length n-k, known as syndrome vector. In a "secret-key" cryptosystem, the set of error vectors, from which a random choice is made on the sender side, is secret and composed in such a way that for every possible syndrome vector, which may be the result of the parity check on the receiving side, only one error vector exists and that all the error vectors are different. This forms the basis of the fact that it is possible to retrieve in a unique manner, on the receiving side, the error vector used on the sending side. Regarding n-k additional message symbols, directly or via an invertible transform, as a syndrome vector and using this, in a similar manner as on the receiving side, to determine, on the sending side as well, the error vector to be used, ensures that blocks are at all times enciphered into cryptograms having the same length. A random choice of an error vector on the sending side is retained in the process insofar as the n-k additional message symbols in different blocks are random with respect to one another.

A method for enciphering and deciphering messages to be transmitted, in a cryptosystem for making communication links secure, which method comprises a first sub-method for enciphering message data, the message data being converted in a blockstream manner into cryptograms suitable for transmission over a communication link to be made secure, and a second sub-method for deciphering received cryptograms, in which the message data are recovered, according to the invention, to this end, comprises the steps according to Claim 1.

In a first preferred embodiment, the method moreover comprises the step according to Claim 2, and in a second preferred embodiment the step according to Claim 3. This overcomes the drawback of the linearity of the enciphering scheme, while linear codes can nevertheless be used.

Reference [6] discloses that the Rao-Nam scheme has a certain vulnerability to particular so-called "chosen-plaintext" attacks, and that the degree of vulnerability to these can be reduced by arranging for the enciphering step with the matrix E on the sending side to be preceded by a transform of the message vector with a secret invertible non-linear function which, moreover, can be chosen to be dependent on the selected error vector. In a preferred embodiment, the method according to the invention further comprises the step according to Claim 4.

Additional advantages of enciphering and deciphering schemes according to the invention to be mentioned are that there is no restriction of the Hamming weight of the error vectors to be used and that encipherment of a null message (i.e. the message vector containing exclusively null symbols) and of a unit message (i.e. a message vector having only one message symbol and for the rest null symbols) does not make a cryptosystem based on these enciphering schemes insecure, at least does not demonstrably reduce the security.

C. References 

[1] R. J. McEliece: "A public-key cryptosystem based on algebraic coding theory", DSN Progress Report 42-44, Jet Propulsion Laboratory, Pasadena, pp. 114-116, January 1978;

[2] T.R.N. Rao and K.-H. Nam: "Private-key algebraic cryptosystems", in: Advances in Cryptology - CRYPTO '86. New York: Springer-Verlag, 1986, pp. 35-48;

[3] T.R.N. Rao and K.H. Nam: "Private-key algebraic-code encryptions", IEEE Trans. Inform. Theory, vol. IT-35, no. 4, pp. 829-833, July 1989;

[4] USA-A-5,054,066

[5] J. Meijers and J. van Tilburg: "Extended majority voting and private-key algebraic-code encryptions", ASIACRYPT '91, Fujiyoshida, Japan, November 1991;

[6] R. Struik and J. van Tilburg: "The Rao-Nam scheme is insecure against a chosen-plaintext attack", in: Advances in Cryptology - CRYPTO '87. New York: Springer-Verlag, 1987, pp. 445-457.

D. Brief description of the drawing 



The invention will be explained below in more detail in a description of several illustrative embodiments. In so doing, reference will be made to a drawing containing the following figures:

FIG. 1 shows, in a block diagram, an overview of a current cryptosystem on the basis of a secret key;
FIG. 2(a) shows, for the cryptosystem shown in Figure 1, a known enciphering scheme based on an algebraic coding method;
FIG. 2(b) shows a known deciphering scheme corresponding to the enciphering scheme shown in Figure 2(a);
FIG. 3(a) shows, for the cryptosystem shown in Figure 1, an enciphering scheme based on an algebraic coding method according to the invention;
FIG. 3(b) shows a deciphering scheme corresponding to the enciphering scheme shown in Figure 3(a) according to the invention;
FIG. 4(a) shows, in diagrammatic form, a specific embodiment of the enciphering scheme according to Figure 3(a);
FIG. 4(b) shows, in diagrammatic form, a specific embodiment of the deciphering scheme according to Figure 4(a).

E. Description of an illustrative embodiment

Cryptographic systems, or more briefly cryptosystems, are used for making communication links such as, for example, in telecommunication networks secure. There are "public-key" cryptosystems and "secret-key" cryptosystems. The invention relates to a "secret-key" cryptosystem, in which algebraic coding methods are used for enciphering and deciphering messages to be transmitted. In a "secret-key" cryptosystem, messages to be transmitted over a communication link are enciphered and deciphered on the basis of a secret key or a number of secret key elements. Figure 1 depicts the essential components of a cryptosystem of this type. A message m generated on the sending side by a message sender 1 is enciphered in an enciphering unit 2 by means of an enciphering algorithm ENC into a cryptogram y which is then transmitted via a communication link 3. On the receiving side of the communication link 3, the cryptogram y is deciphered again in a deciphering unit 4 by means of a deciphering algorithm DEC into the original message m which is then presented to the recipient 5.
This can be expressed symbolically by:

ENC(m,k) = y and DEC(y,k) = m {1}

In this process, the enciphering and deciphering algorithms depend on an identical secret key k which has previously been generated by a key-managing agency 6 and has been supplied via a secure route 7 to the enciphering and deciphering units 2 and 4.

Reference [3], more in particular page 831 in sections II.B. and II.C., discloses an enciphering scheme on the basis of an algebraic coding method and a corresponding deciphering scheme. Reference [5], more especially section 3, discloses a formulation which is equivalent thereto. The description of the illustrative embodiments is based on said equivalent formulation. Although said formulation also holds good, more generally, over finite bodies F_q with q>2, the formulation, as there, for the sake of the simplicity of the further description, is limited to the finite body F_2, the binary case therefore.

Given, as secret key elements, are:

- a k×n enciphering matrix E of rank k with its right inverse E^{-R} for which E E^{-R} = I_k holds good, where I_k is the k×k identity matrix;

- an (n-k)×n matrix D of rank n-k which is a parity-check matrix corresponding to the matrix E, in such a way that E D^T = O, where D^T represents the transpose of the matrix D and O represents the k×(n-k) null matrix;

- a so-called syndrome/error vector table T = {(s,z) | s = z D^T, z ∈ W}, where W is a set of error vectors z of length n, said table being composed in such a way that corresponding to each different syndrome vector s of length n-k there is only one different error vector z. Instead of the syndrome/error vector table T it is also possible, as is known (see reference [3], more especially section III.B. on page 833), to use a secret function t with independent variables, chosen on the basis of the unique syndrome/error vector combinations which would otherwise be selected for the composition of the table T; therefore t(s) = z for all (s,z) ∈ T.



Reference [6] discloses that the Rao-Nam scheme has a certain vulnerability to particular so-called "chosen-plaintext" attacks, and that the degree of vulnerability to these can be reduced by arranging for the enciphering step with the matrix E on the sending side to be preceded by a transform of the message vector with a secret invertible non-linear function which, moreover, can be chosen to be dependent on the selected error vector. Written symbolically, this is a function f(m,z), which converts the message vector m into a transformed message vector m' of the same length.

Starting from said key elements, a message m of length k, called message vector m, is enciphered into a cryptogram y of length n according to the scheme:

y = f(m,z)E + z = m'E + z = c + z {2}

where z is chosen randomly from the set W; and the cryptogram y is deciphered according to the scheme:

(i) calculate the syndrome vector: y D^T = z D^T = s;
(ii) determine in the table T, for the calculated s, the unique error vector z;
(iii) calculate the transformed message vector: (y + z) E^{-R} = c E^{-R} = m'; N.B. in the binary case, "subtraction" by coordinates is identical to "addition" by coordinates;
(iv) calculate the original message vector: f^{-1}(m',z) = m.

Figure 2(a) and Figure 2(b) show the respective block diagrams for these known enciphering and deciphering schemes.

Since schemes of this type, based on an error-correcting code, always involve the conversion of a number of k message symbols into a code word of n symbols, encipherment and decipherment is always effected in a blockstream manner.

These known schemes have the limitation, however, that the length (k) of the message vector m to be enciphered is smaller than the length (n) of the cryptogram. As a result, the information rate R = k/n between sender and recipient is always smaller than 1, current methods for blockstream encipherment are not directly applicable, and repeated enciphering is not possible. If the same syndrome/error vector table T(s,z) or a table function t equivalent thereto with function values {t(s) = z | (s,z) ∈ T} is also present on the sender side, the choice of a random error vector z may be made by, for example, using a "random" generator to determine a syndrome vector s, the corresponding error vector z then being determined by means of the table or the function. The length of the syndrome vector s, as it happens, is precisely n-k. If, then, n-k additional message symbols are involved in the encipherment, therefore a total of n message symbols, of which k symbols, at least primarily, are treated according to the known enciphering scheme and the remaining n-k symbols are used to determine the syndrome vector s to find its corresponding error vector z, said limitation is lifted. Block diagrams of enciphering and deciphering schemes based on this thought are depicted in Figure 3(a) and Figure 3(b).

Given as enciphering and deciphering elements are:

- a first invertible non-linear function g(x) = x' and a second invertible non-linear function h(y') = y, which convert vectors x and y', respectively, of length n into transformed vectors x' and y, likewise of length n;

- a first selection function σ_A(x) = x_A, which converts a vector x of length n into a first part-vector x_A of length k<n as follows: if x = (x_1, x_2, ..., x_n), then x_A = (x_{a1}, x_{a2}, ..., x_{ak}), where A = {a1, a2, ..., ak} is a subset of the set of coordinate indices {1, 2, ..., n}. In other words, σ_A forms, from a presented vector, the first part-vector by selecting vector coordinates therefrom according to a given selection pattern;

- a second selection function σ_B(x) = x_B, which converts a vector x of length n into a second part-vector x_B of length n-k as follows: if x = (x_1, x_2, ..., x_n), then x_B = (x_{b1}, x_{b2}, ..., x_{b(n-k)}), where the set B = {b1, b2, ..., b(n-k)} is likewise a subset of the set of coordinate indices {1, 2, ..., n}, but complementary to the set A. Therefore, σ_B in fact does the same as σ_A, but forms the second part-vector from the "remaining" vector coordinates of the presented vector;

- a reconstruction function σ_{A,B}^{-1}(x_A, x_B) = x, which reconstructs, from two presented part-vectors x_A and x_B, respectively of length k and n-k, the vector x, for which the relationships σ_A(x) = x_A and σ_B(x) = x_B holds good; which function therefore in fact forms the inverse of the functions σ_A and σ_B used in combination;

- a k×n enciphering matrix E of rank k, with its right inverse E^{-R};

- an (n-k)×n matrix D of rank n-k which is a parity-check matrix corresponding to the matrix E, such that the relationship E D^T = O holds good, i.e. the k×(n-k) null matrix, where D^T represents the transpose of the matrix D;

- a syndrome/error vector function t(s) = z, which converts a presented syndrome vector s of length n-k into an error vector z ∈ W, where W ⊂ F_2^n with the property: if z_1, z_2 ∈ W, then (z_1 + z_2) D^T ≠ 0; in this case the function t is constructed in such a way that, corresponding to each different syndrome vector s of length n-k, there is a different error vector z;

- a third invertible non-linear function f(x_A, z) = m, which converts a vector x_A of length k as a function of a given vector z of length n into a vector m of length k.
The enciphering scheme for the encipherment of a message vector x of length n into a cryptogram y of the same length comprises the following steps:

e(i) calculate the vector x' = g(x) of length n;
e(ii) determine the first part-vector x_A' = σ_A(x') of length k and the second part-vector x_B' = σ_B(x') of length n-k;
e(iii) choose the second part-vector as the syndrome vector: s = x_B', and determine the error vector z = t(s) of length n;
e(iv) calculate the vector m = f(x_A', z) of length k;
e(v) calculate the vector y' = mE + z of length n;
e(vi) calculate the vector y = h(y').

Figure 3(a) shows a block diagram of this enciphering scheme.

A deciphering scheme corresponding to this enciphering scheme, for deciphering the cryptogram y into the original message vector x of length n comprises the following steps:

d(i) calculate the vector y' = h^{-1}(y) of length n;
d(ii) calculate the syndrome vector s = y' D^T of length n-k;
d(iii) determine the error vector z = t(s) of length n;
d(iv) calculate the vector m = (y' - z) E^{-R} of length k;
d(v) calculate the vector x_A' = f^{-1}(m,z) of length k;
d(vi) determine the vector x' = σ_{A,B}^{-1}(x_A', x_B') of length n, wherein vector x_B' = s, the syndrome vector calculated in step d(ii), is chosen;
d(vii) calculate the vector x = g^{-1}(x') of length n, the original message vector.

Figure 3(b) shows a block diagram of this deciphering scheme.

The invertible non-linear functions f, g and h can be chosen, as is usual, as a function of secret keys ka, kb and kc, respectively, symbolically designated by f_ka, g_kb, and h_kc. In the most general embodiment of these enciphering/deciphering schemes, the keys ka, kb and kc, the selection sets A and B, the matrix E (including implicitly the matrix D) and the syndrome/error vector function t(s) form the secret key elements. The functions g and h are preferably chosen to be each other's inverse, and the selection sets A and B are chosen to be fixed.

A syndrome vector s of length n-k can be written as follows:

s = (s_1, s_2, ..., s_{n-k}) = Σ_{1≤i≤n-k} s_i u^{(i)} {3}

for i = 1,...,n-k, and where u^{(i)} is the i-th unit vector of length n-k (i.e. the vector having a 1 on the i-th coordinate position and zeros on the remaining n-k-1 coordinate positions). The n-k unit vectors u^{(i)} are in fact the unit syndrome vectors which span the syndrome vector space. In the case of given matrices E and D, for which the relationship E D^T = O holds good, it is necessary to determine, for each unit syndrome vector u^{(i)} of the code C generated by the matrix E, an error vector z^{(i)} for which the following relationship must hold good:

z^{(i)} D^T = u^{(i)} where 1 ≤ i ≤ n-k {4}

where z^{(i)} ≠ z^{(j)} for i ≠ j. The equation {4} implies, for each 1 ≤ i ≤ n-k, a system of n-k equations with n unknowns, so that each error vector z^{(i)} can be chosen freely within the constraints set by the n-k equations. Combination of the equations {3} and {4} gives:

s = Σ_{1≤i≤n-k} s_i u^{(i)} = Σ_{1≤i≤n-k} s_i z^{(i)} D^T = z D^T {5}

from which it follows that

z = Σ_{1≤i≤n-k} s_i z^{(i)},

which can be written as

z = sZ {6},

where Z is an (n-k)×n matrix, of which the n-k rows are formed by the vector coordinates of the n-k selected error vectors z^{(i)}. The matrix Z is thus a simple implementation of the table function t (with t(s) = z).

The enciphering and deciphering schemes according to the invention can be implemented both in hardware and in software by conventional means. Hardware implementation is to be preferred at high enciphering rates, while a software implementation permits a higher degree of flexibility.

Example 1. 

The example involves an encipherment of binary blocks of length 32, each block in turn being processed subdivided into sub-blocks of length 8, that is byte-wise. To this end, a 32-bit vector x to be enciphered is notated as x = (x_1, x_2, x_3, x_4), therefore partitioned into subvectors of 8 bits, each subvector x_i = (x_{8i-7}, x_{8i-6}, ..., x_{8i}) for i = 1,...,4 representing an 8-bit vector. This notation is used hereinafter.

The enciphering matrix E is an 8×32 matrix of full rank (in this case rank 8). The parity-check matrix D is a 24×32 matrix, for which the relationship E D^T = O, the 8×24 null matrix, holds good. The table function is implemented by a 24×32 matrix Z which has been obtained in the manner specified above.

For the selection function σ_A, the set A = {25,...,32}, and for the selection function σ_B, the set B = {1,...,24}.

The invertible non-linear functions f_ka, g_kb and h_kc, which depend on keys ka, kb and kc, can be readily implemented, as is known and conventional, with the aid of substitution functions. A substitution function S, sometimes also called S box, consists, for 8-bit sub-block processing, of a row of all the 256 different 8-bit elements. For each 8-bit subvector w there is thus a unique 8-bit subvector v, so that w = S(v) and v = S^{-1}(w) hold good.

The keys ka, kb and kc are binary bit sequences and are therefore also notated as vectors ka, kb and kc, partitioned into 8-bit subvectors. In this example they have been chosen as follows: ka is an 8-bit vector, and kb = kc are 32-bit vectors.

The function f_ka converts, with the aid of a previously determined error vector z, the part-vector x_A' according to:

f_ka(x_A', z) = (S(x_A1' + z_1 + ka_1)) = (m_1) = m,

while for the inverse the following holds good:

f_ka^{-1}(m, z) = (S^{-1}(m_1) + z_1 + ka_1) = (x_A1') = x_A'.

The function g_kb converts the message vector x according to:

g_kb(x) = (S(x_1 + kb_1), ..., S(x_4 + kb_4)) = (x_1', ..., x_4') = x'.

The function h_kb is chosen equal to the inverse of the function g_kb, i.e. the function h_kb converts the vector y' into the cryptogram y according to:

h_kb(y') = (S^{-1}(y_1') + kb_1, ..., S^{-1}(y_4') + kb_4) = (y_1, ..., y_4) = y.

The secret key elements are the key vectors ka and kb and the matrices E (including, implicitly, matrix D) and Z.

The enciphering scheme according to this example is depicted in Figure 4(a). The message vector x to be enciphered is placed into a first memory block 41 with four byte positions, one for each of four subvectors x_i of x. From the memory block 41, the four subvectors are each separately presented to a first substitution block 42, wherein the presented subvectors x_i are converted into subvectors x_i' according to the function g_kb. In order to perform this conversion operation in a byte-wise manner, the substitution block 42 consists of four S boxes SG1 to SG4 inclusive. Said S boxes are chosen to be mutually identical, in accordance with the chosen function g_kb, but a presented subvector x_i first has a corresponding subvector kb_i of the supplied key kb added to it, before substitution takes place. This is specified in the figure by the arrow KB. The substitution results are placed into a second memory block 43, likewise with four byte positions for the subvectors x_i'. In accordance with the selection scheme defined by the chosen sets A and B, the first three subvectors of the vector x' serve as the syndrome vector s and, to this end, are placed into a third memory block 44 with three byte positions, while the fourth subvector x_4' is placed into a fourth memory block 45 with one byte position, to form the first part-vector x_A'. The syndrome vector s is subjected in its entirety, in a matrix block 46, to a matrix multiplication with the matrix Z, which results in an error vector z of length 32, whose subvectors z_i are placed into the four byte positions of a fifth memory block 47. In an adder 48, the part-vector in the fourth memory block 45 and the part-vector in the first byte position of the fifth memory block 47 are added (in a binary and coordinate-wise manner). The result of the addition is presented to a second substitution block 49 and converted into a subvector m_1 according to the function f_ka. The substitution block 49 consists of one S box SF1. Said S box, in accordance with the chosen function f_ka, is chosen to be identical to the S box from the first substitution block 42, but in this case, too, the subvector presented by the adder 48 first has the only subvector ka_1 of the supplied key ka added to it, before substitution takes place. This is specified in the figure by the arrow KA. The substitution result, the subvector m_1, is placed into a sixth memory block 50 with one byte position. The subvector m_1 is subjected in its entirety, in a second matrix block 51, to a matrix multiplication with the matrix E, which results in a code vector c of length 32, whose subvectors c_i are placed into the four byte positions of a seventh memory block 52. In the adders 53, 54, 55 and 56, the part-vectors c_i of the code vector c from the seventh memory block 52 are added to the corresponding part-vectors z_i of the error vector z from the fifth memory block 47. The result of the addition, the vector y' with the part-vectors y_i', is placed into an eighth memory block 57 with four byte positions. From the memory block 57, the four subvectors y_i' are each separately presented to a third substitution block 58, in which the presented subvectors y_i' are converted into subvectors y_i according to the function g_kb^{-1}. For the purpose of byte-wise execution of this conversion, the substitution block 58 consists of four S boxes SG1^{-1} to SG4^{-1}, inclusive. Said S boxes, in accordance with the chosen function g_kb^{-1}, are chosen to be mutually identical and form the inverse of the S box used in the first substitution block 42. Moreover, the substitution result of a presented subvector y_i' has a corresponding subvector kb_i of the supplied key kb added to it. This is specified in the figure by the arrow KB. The substitution results are placed into a ninth memory block 59, likewise with four byte positions. They form the part-vectors y_i of the cryptogram y.

The corresponding deciphering scheme is depicted in Figure 4(b). The designations therein completely match those in Figure 4(a), so that a mere enumeration of the numbered components is provided. The diagram incorporates:

- six memory blocks, 61, 63, 67, 72, 77 and 79 with four byte positions each for the subvectors of the vectors y, y', z, c, x' and x, respectively;

- a memory block 65 with three byte positions for the syndrome vector s;

- a memory block 74 with one byte position for the vector m_1;

- two substitution blocks 62 and 78, identical to the substitution blocks 42 and 58, respectively, in the enciphering scheme of Figure 4(a), for converting the vectors y into y', and x' into x, respectively;

- a substitution block 75 which is the inverse of the substitution block 49 in the deciphering scheme of Figure 4(a), for converting the subvector m_1;

- four adders 68 to 71, inclusive, for byte-wise addition of the vector y' and the error vector z;

- an adder 76 for adding the first subvector z_1 of the error vector z and the subvector m_1 converted in the substitution block 75;

- three matrix blocks 64, 66 and 73 for performing matrix multiplications with the matrices D^T, Z and E^{-R}, respectively, on the vectors y', s and c according to:

y' D^T = s, sZ = z, and c E^{-R} = m_1.

The specific choice of the function h_kc as the inverse of the function g_kb is advantageous in the case of repeated enciphering, where the content of the memory block 57 is repeatedly placed, for a previously determined number of times, into the memory block 43, before this is presented to the substitution block 58 to obtain the actual cryptogram y to be transmitted. It goes without saying that on the deciphering side it is necessary to decipher for the same number of times by feeding the content of memory block 77 back to the memory block 63 each time. This number of times can be derived, for example, from one of the key elements according to a predetermined procedure.

Given the generator matrix G of an (n,k) linear code C in canonic form: G = [I|Q], where I is the kxk identity matrix and Q is a kx(n-k) matrix. For the corresponding parity-check matrix H the relationship: H = [-Q^T|I] then holds good, from which it can be seen directly that: GH^T = O_{k,n-k}, the kx(n-k) null matrix. Of the matrix Z, by means of which, for a given syndrome vector, a unique error vector can be calculated from a limited set of error vectors, a kind of canonic form can likewise be defined by:
Z_0 = [O_{n-k,k}|I_{n-k}], where O_{n-k,k} is the (n-k)xk null matrix and I_{n-k} is the (n-k)x(n-k) identity matrix and from which it is immediately found that: Z_0 H^T = I_{n-k}.

Starting from a given generator matrix G in canonic form, an arbitrary enciphering matrix can be constructed for the (n,k) linear code C by:
E = SGP, where S is an invertible kxk matrix and P is an nxn permutation matrix. In order to avoid long key elements such as S and P, it is known to generate these on the basis of keys of limited length, so-called "short seeds" (see reference [3], more especially the "note" in section II.C, p. 831). An S box can likewise be generated on the basis of a short seed of this type.

Example 2

Applied to the above-described embodiment of Example 1 this means that, for given key elements ka, kb, kd, ke, kf and kg, and for a given generator matrix G of the (32,8) linear code C, the matrices E, D and Z are first determined in a number of preliminary steps as follows:

(1) determine, on the basis of the key element kd, a first invertible 8x8 matrix S_kd and, on the basis of the key element ke, a second invertible 8x8 matrix S_ke;

(2) determine, on the basis of the key element kf, a 32x32 permutation matrix P_kf;

(3) calculate the enciphering matrix E according to: E = S_kd G P_kf;

(4) calculate the parity-check matrix D according to: D = H P_kf;

(5) calculate the matrix Z according to: Z = Z_0 P_kf + S_ke E.

(6) generate, on the basis of the key element kg, an 8-bit S box.

Here again, the relationships: ED^T = 0 and ZD^T = Z_0 H^T hold good.

It should be mentioned expressly that the enciphering matrix E may represent a randomly chosen linear (n,k) code C, as long as it is always true that the matrix E is a matrix of full rank. The minimum distance between the code words does not matter. Even if a canonic form of the generator matrix G is used as a starting point for a linear code, the matrix Q can be chosen randomly, for example on the basis of an additional key element kh.
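
The matrix construction of Example 2 and the encipher/decipher steps that rely on it, as an added illustration that is not part of the patent text. It assumes a toy (8,4) binary code (so that n-k = k and S_ke E has the same shape as Z), takes the first k coordinates as the first part-vector, omits the S-box substitutions, and stands in a seeded random generator for the key elements; all function names are hypothetical.

```python
import random

def mul(A, B):  # matrix product over GF(2)
    return [[sum(a & b for a, b in zip(r, c)) & 1 for c in zip(*B)] for r in A]
def add(A, B):  # matrix sum over GF(2)
    return [[a ^ b for a, b in zip(r, s)] for r, s in zip(A, B)]
def T(A):       # transpose
    return [list(c) for c in zip(*A)]
def eye(rows, cols):  # identity, zero-padded below when rows > cols
    return [[int(i == j) for j in range(cols)] for i in range(rows)]

def inverse(A):  # Gauss-Jordan over GF(2); None if A is singular
    m = len(A)
    M = [r[:] + e for r, e in zip(A, eye(m, m))]
    for c in range(m):
        p = next((r for r in range(c, m) if M[r][c]), None)
        if p is None:
            return None
        M[c], M[p] = M[p], M[c]
        for r in range(m):
            if r != c and M[r][c]:
                M[r] = [a ^ b for a, b in zip(M[r], M[c])]
    return [r[m:] for r in M]

def build(n, k, seed):
    rng = random.Random(seed)  # assumed stand-in for the key elements, not a CSPRNG
    bits = lambda r, c: [[rng.randint(0, 1) for _ in range(c)] for _ in range(r)]
    Q = bits(k, n - k)
    G = [i + q for i, q in zip(eye(k, k), Q)]             # G = [I|Q]
    H = [q + i for q, i in zip(T(Q), eye(n - k, n - k))]  # H = [Q^T|I]; -Q = Q in GF(2)
    Z0 = [[0] * k + i for i in eye(n - k, n - k)]         # Z_0 = [O|I]
    S_kd = S_ke = None
    while not (S_kd and inverse(S_kd)): S_kd = bits(k, k)
    while not (S_ke and inverse(S_ke)): S_ke = bits(k, k)
    perm = rng.sample(range(n), n)
    P = [[int(perm[i] == j) for j in range(n)] for i in range(n)]
    E = mul(mul(S_kd, G), P)                              # step (3)
    D = mul(H, P)                                         # step (4)
    Z = add(mul(Z0, P), mul(S_ke, E))                     # step (5); needs n-k == k
    E_R = mul(mul(T(P), eye(n, k)), inverse(S_kd))        # right inverse: E * E_R = I
    return E, D, Z, E_R

def encipher(x, k, E, Z):
    return add(mul([x[:k]], E), mul([x[k:]], Z))[0]       # y = c + z

def decipher(y, D, Z, E_R):
    s = mul([y], T(D))                                    # y D^T = s, the second part-vector
    c = add([y], mul(s, Z))                               # remove error vector z = sZ
    return mul(c, E_R)[0] + s[0]                          # c E^-R gives the first part-vector
```

Because ED^T = 0 and ZD^T = I, the syndrome of the cryptogram is exactly the second part-vector, which is why every n-symbol block maps to an n-symbol cryptogram (rate R = 1).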

Claims 

1. A method for enciphering and deciphering messages in a cryptosystem for making communication links secure, which method comprises a first sub-method for enciphering message data, the message data being converted in a blockstream manner into cryptograms suitable for transmission over a communication link to be made secure, and a second sub-method for deciphering received cryptograms, in which the message data are recovered, which first sub-method, for enciphering, comprises the following steps:

   - converting message data to be transmitted into blocks of n message symbols, thus forming message vectors with n vector coordinates,

   - splitting each message vector into a first part-vector of length k and a second part-vector of length n-k, the n vector coordinates of the message vector having selected therefrom k vector coordinates for the vector coordinates of the first part-vector and the remaining n-k vector coordinates for the vector coordinates of the second part-vector, according to a previously specified selection scheme,

   - coding the first part-vector with the aid of a previously chosen kxn matrix (E) of full rank, which represents a generator matrix for an error-correcting code (C), forming a code vector of length n in the process,

   - selecting, in a unique manner, with the aid of the second part-vector, an error vector from a set of error vectors of length n, which set has previously been compiled with the aid of an (n-k)xn matrix (D) from error vectors, the matrix (D) representing a parity-check matrix for the error-correcting code (C) and the error vectors each representing a different error pattern which can be corrected with the aid of the code (C),

   - determining, by adding the selected error vector and the code vector, a sum vector of length n for obtaining a cryptogram,

   and which second sub-method for deciphering comprises the following steps:

   - reconstructing the second part-vector from the cryptogram by matrix multiplication with the transpose of the parity-check matrix (D),

   - selecting, in a unique manner, with the aid of the second part-vector, the error vector from the set of error vectors,

   - reconstructing the code vector by binary addition of the cryptogram and the selected error vector,

   - reconstructing the first part-vector by decoding the code vector with the aid of an nxk matrix which is the right inverse matrix of the generator matrix (E),

   - reconstructing the message vector by combining the decoded first and second part-vectors in accordance with a scheme which is the inverse of said selection scheme.

2. Method according to Claim 1, wherein, in the first sub-method, the message vector, prior to splitting, is converted, with the aid of a first invertible non-linear transform, into a transformed message vector of the same length, and in the second sub-method the reconstruction of the message vector is effected by combining the coded first and second part-vectors, the transformed message vector being obtained, followed by a conversion with the aid of a transform which is the inverse of said first invertible non-linear transform.

3. Method according to Claim 1 or 2, wherein, in the first sub-method for obtaining the cryptogram, the sum vector is converted, with the aid of a second invertible non-linear transform, into a transformed sum vector of the same length, and in the second sub-method the cryptogram, prior to the reconstruction of the second part-vector, is converted into the sum vector with the aid of a transform which is the inverse of the second invertible non-linear transform.

4. Method according to any one of the Claims 1 to 3, wherein, in the first sub-method prior to the step of coding, the first part-vector is converted, with the aid of a third invertible non-linear transform which is a function of the error vector selected with the aid of the second part-vector, into a transformed first part-vector, and in the second sub-method the step of reconstructing the first part-vector consists of the decoding, the transformed first part-vector being obtained in the process, followed by a conversion with the aid of a transform which is the inverse of said third invertible non-linear transform.

5. Method according to any one of Claims 1 to 4, wherein the kxn matrix E has previously been constructed by matrix multiplication of a non-singular kxk matrix (S), a kxn generator matrix (G) for an error-correcting code (C) and an nxn permutation matrix (P), and the step of reconstructing the second part-vector is performed by matrix multiplication with the transpose of the parity-check matrix (D) which has previously been constructed by matrix multiplication of an (n-k)xn matrix (H), which is a parity-check matrix, corresponding to the generator matrix (G), for the error-correcting code (C), and the inverse (nxn) permutation matrix (P^-1).

6. Method according to Claim 1, wherein the selection of the error vector is effected by matrix multiplication with an (n-k)xn matrix Z, for which it holds good that matrix multiplication with the transpose of the parity-check matrix (D) produces the (n-k) identity matrix (i.e. ZD^T = I_{n-k}).

7. Method according to Claim 6, wherein the matrices E, D and Z have been generated previously on the basis of a generator matrix G for the error-correcting code (C) in canonic form and a number of secret key elements of limited length.

8. Method according to any one of Claims 3, 4 or 5, wherein the invertible non-linear transforms are effected as a function of a secret key.

9. Sub-method for blockstream encipherment of message data, suitable for use in the method according to any one of Claims 1 to 8 inclusive.

10. Sub-method for deciphering cryptograms, suitable for use in the method according to any one of Claims 1 to 8 inclusive.